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How to Read Unauthorized Kernel Data 
From User Space? 
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Why is Hard? 


Strong Kernel-User Isolation (KUI) 
Enforced by MMU via Page Table 


Assume Kernel has NO implementation bug: 
No kernel vulnerability to arbitrarily read kernel data 
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Memory Access in KUI 


Virtual Address 


Lookup TLB 
Miss Hit 
Fetch Protection 
Page Table Check 


Denied Permitted 
Protection Physical 
SIGSEGV 
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Permission Checkings 


1: Page Table Permissions 
31/30|29|28/27|26|25|24|23|22|21|20/19 18/17 /16/15/1413 12/11 1o|9 | 8 7] 6/5 4 


Address of page directory! Ignored 


Bits 31:22 of address Reserved Bits 39:32 of P 
of 4MB page frame (must be 0) address A wows lal, 
P P 
Address of 4KB page frame Ignored |G| A A T 
T 


i » vna ERSTEN f Intel sd 
2: Control Registers, e.g.. SMAP in CR4 ages petion 
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Ei 
P 
Ignored 


OMU OMU OMU 


No Way to Go? 


1.Unprivileged App - 
2.KUI Permission Checking + 
3.Bug-free Kernel 


JUN 
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However, in order to 
gain high performance, 
1.Unprivileged App + 


CPU... 
LY 
2.Permission Checking + €K 


3.Bug-free Kernel G 
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CY 


LY 
Microarchitecture 


Speculative Execution + Out-of-order 
Execution 
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Speculative Execution 


No Speculative Execution 


Correct Prediction 
[pe 


— n 


Misprediction 
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Out-of-order Execution 


Example: Data Flow Graph 
(1) rl — r4 / r7 (1) (3) (4) 
(2) r8 € ri + r2 : 
(3) r5 e r5 #1 © 

(4) r6 «€ r6 - r3 i 

(5) r4 € r5 + r6 V y 

(6) r7 € r8 * rå (6) 


In-order execution 
| 1 [2 
nan 


Images are from Dr. Lihu Rappoport 


Speculative Execution + 
Out-of-order Execution 
Enough? 


Not Enough !!! 
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MEMORY 


Execution Engine — — A Branch Predictor in 
HE GSE (rå 


Front End Serving 


executes in a out- INSTRUCTION CACHE 1 
of-order way | Speculative Execution 
FETCH/FLOW E 
DECODE/BRANCH 3 
— il 
| 


Side effects in E T " = Permission checking 
cache are still is delayed to Retire 


there! | | COMPLETED INSTRUCTION 
nmm 


BUFFER Unit 
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Image from https://www.cse.msu.edu/~enbody/postrisc/postrisc2.htm 


Meltdown 
(v3) Works 


“volatile ( Point to the target 
kernel address 


\n" 
\n" 
\n" 
"movq (%[dest], %%rax, 1), %%rbx Wn" 


[addr] "^" Caddr), [dest] ”r" (dest) 
"%rax", "%rbx"); 
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Meltdown 2. Atransient instruction accesses a cache line 
(V3) based on the secret content of the register. 


Works 


Bring data into - volatile... L 

R An" 
"xorg **rax, %%rax \n" 
"movb (%[addr]), %%al \n" 
"shlg $0xc, %%rax An" 


cache 


"^ An" 
This number = movq (%[dest], 9 rax, 1), %%rbx Nn" 
should >= 0x6 : [addr] "r" (addr), [dest] "r" (dest) 
"%rax", "%rbx"); 


How 
Meltdown 


(v3) Works the chosen memory location. 


| I 
ofaifa2[ eee [254 [255 
EEE GE vv 


ArrayBase 256 Slots 


The selected index is the value of the target byte 
e.g., if the selected index is 0x65, the value is ‘A’ 
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3. The attacker uses Flush+Reload to determine the 
accessed cache line and hence the secret stored at 
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ForeShadow Attack 


P 


Put secrets in L1 Unmap Page Table Entry Meltdown 
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Sey 


How about Spectre (v1/v2)? 
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1. The setup phase, in which the processor is mistrained to 
make "an exploitable erroneous speculative prediction." 
e.g., x « array1 size 


How 
Spectre (v1) 
Works 


(x < arrayl size) 


1 Real Execution flow 
temp &= array2(array1[x])* l) and Speculative 


Execution go here 


T 
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2. The processor speculatively executes instructions from 


How the target context into a microarchitectural covert channel. 
e.d., X > array1 size 

Spectre (v1) ^? de 

Works 


(x < arrayi size) 


l Speculative 
Execution flow { Execution goes 
should go here temp &- array2[arrayl[x] * 512]; aa 


j 


i 


A slot of array2 is loaded 
into cache 
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How " | | 
3: The sensitive data is recovered. This can be done by 
Spectre timing access to memory addresses in the CPU cache. 


Works 


| I 
ofaifa2[ eee [254 [255 
EE RE `e 


Array2Base 256 Slots 


The selected index is the value of the target byte 
e.g., if the selected index is 0x66, the value is 'B' 
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v array1 and array2 are in user-space 
Y xis controlled by the adversary 


array1+x points to 
secret 


(x < arrayl size) 


temp &- anray2fGrrayi DD" 1; 
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Happy! We Get Kernel Data Now 


1.Unprivil D + 
2.Permiss ecking - 
3.Bug-fre nel 


S Al ER $ Sø” Advanced Al 


yo Ou : } ' amv -A (Gadget 


However... 


CR 
RES > 
"Ma Ve 
e ] 
S Al == 2 


Kernel 
Space 


Kernel 


Space 


User/kernel mode kernel mode User mode 


Before KPTI After KPTI PCID helps performance 
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User Mode 
(User Space) 


Supervisor 
Mode 
(kernel Space) 


SMAP 


Y SMAP is enabled when the SMAP bit in 
the CR4 is set 


v SMAP can be temporarily disabled by 
setting the EFLAGS.AC flag 


v SMAP checking is done long before 
retirement or even execution 


Even we put the Spectre 
gadget into the kernel 


e . 
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Attack and Mitigation Summary 


Spectre 
Meltdown 
ForeShadow 


Only for Kernel Data Leakage. For other aspects, the summary is not included here. 


After 
Mitigation, 
kern. Data 

Leakage? 


Yes KPTI + SMAP NO 
Yes KPTI NO 
Yes KPTI NO 
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Despalr... 


Baidu Security 
Image from http://nohopefor.us/credits E B 


Hope in Despair 


Kernel 
Space 


Kernel 


Space 


User/kernel mode kernel mode User mode 


Before KPTI After KPTI 
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New Variant Meltdown v3z 


Breaking SMAP # KPTI # user-kernel Isolation 


1: Use new gadget to build data- 
dependence between target kernel data 
and the bridge (bypass SMAP) 


2: Use Reliable Meltdown to probe 
bridge to leak kernel data 


(bypass KPTI and KUT) 
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Similar to Spectre gadget, but not exact the same 


Point to the 
target address 


(x < array. ss 4 


i 
dummy = are2i@rri fe) * + offset]; 
I 


x and offset should be controlled by the adversary!! 
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How to Trigger the New Gadget 


There are many sources to trigger the new gadget 


1: Syscalls 

2: /proc and /sys etc. interfaces 

3: Interrupt and exception handlers 
4: eBPF 

Oras 
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How to Find the New Gadget 


Source Code Scanning 


We use smatch for Linux Kernel 4.17.3, 
» Default config: 36 gadget candidates 
» Allyes config: 166 gadget candidates 


However, there are many restrictions to the gadget in real exploits 
v Offset range 
Y Controllable invocation 


v Cache noise 
v 


Binary Code Scanning?? 
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2nd Step: Probe Bridge 
| I 


of1if2]| eee [254 [255] User Space 
UserÅrravpas i eee n 
e M I 
Å FE | 
ofaif2| eee [254 [255] Bridge 


BridgeBase 


Obviously, in each round there are (256*256) probes 


To make the result reliable, usually we need multiple rounds 
r3: Baidu Security —— 
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Make it Practical/Efficient 


| I 
KER EN atè EE NET 


UserArrayBas * NM emm AA 
VG 


e - 
Lo[a[2] +++  [254[255] X Bridge 


BridgeBase 


User Space 


Why do we need to probe 256 times in Meltdown? 
If we know the value of the slot 0 of the BridgeBase, we probe it only once. 


Can we know the values in advance? 
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No for Meltdown (v3) 


Meltdown is able to read kernel data. 
But, it requires that the target data is in the CPU L1d cache. 


If the target data is NOT in L1d cache, 0x00 returns. 


We need reliably reading kernel data! 
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Reliable Meltdown (V3r) 


V3r has two steps: 


15 step: bring data into Lid cache 


(x « size) 1 
data X array[x]; Everywhere 


in kernel 


Ind step: use v3 getting data 


We test it on Linux 4.4.0 with Intel CPU E3-1280 v6, and MacOS 
10.12.6 (16G1036) with Intel CPU i7-4870HO 
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Put Everything Together 


Offline phase: 
» Use v3r dumping bridge data, and save them into a table 


Online phase: 

> 1st step: Build data dependence between target data and 
bridge slot 

> 2" step: Probe each slot of the bridge 


Efficiency: 
> from several minutes (even around 1 hour in certain 
cases) to only several seconds to leak one byte, 
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Demo Settings 


Kernel: Linux 4.4.0 with SMAP + KPTI 
CPU: Intel CPU E3-1280 v6 


In kernel space, we have a 
secret msg, e.g., xlabsecretxlabsecret, 
location is at, e.g., OxffffffffcOe7eOaO 
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Countermeasure Discussions 


Software Mitigations 


v Patch kernel to eliminate all expected gadgets 
Y Minimize the shared “bridge” region 
v Randomize the shared “bridge” region 


v Monitor cache-based side channel activities 
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Countermeasure Discussions 
Hardware Mitigations 
v Do permission checking during or even execution stage 
Y Revise speculative execution and out-of-order execution 
Y Use side channel resistant cache, e.g., exclusive/random cache 


v Add hardware-level side channel detection mechanism 
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Take Away 


Trinational Spectre and Meltdown can NOT steal kernel 
data with KPTI + SMAP + KUI enabled. 


Our new Meltdown variants is able to break the 
strongest protection (KPTI + SMAP + KUI). 


All existing kernels need to be patched to mitigate our 
new attack 
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